Insertion of Sensitive Information Into Sent Data in n8n - #VU137170

 

Insertion of Sensitive Information Into Sent Data in n8n - #VU137170

Published: July 8, 2026


Vulnerability identifier: #VU137170
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-201
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and impersonate the configured Google service account.

The vulnerability exists due to insertion of sensitive information into sent data in JWT header generation when using Google Service Account credentials. A remote attacker can obtain or inspect a JWT header containing the full PEM private key to disclose sensitive information and impersonate the configured Google service account.

Only instances using Google Service Account credentials are affected.


Remediation

Install security update from vendor's website.

Sources